 

Syslogger

Contents

1. Introduction

2. Useful resources

3. Install and configuration

4. Configure the clients

5. Security

1. Introduction

Syslogd is the main logging tool on a GNU/Linux system. It centrally manages logging for your main system services. It does not provide logging for additional programs such as web servers or mail servers that have their own logging facilities.

The syslogd is taken from BSD sources, Greg Wettstein (greg@wind.enjellic.com) performed the port to GNU/Linux, Martin Schulze (joey@linux.de) made some bugfixes and added some new features.

2. Useful resources

There are some other logging tools that you could use, some of them are certainly more secure than the default syslogger.

NSyslogd - http://coombs.anu.edu.au/~avalon/nsyslog.html

3. Install and configuration

On most (if not all) GNU/Linux distributions the syslog daemon will already be installed.

When you want to log messages to another host, you need to make sure that this host is capable of accepting log messages. First of all, the daemon needs to know on what port to listen. For this you need to check the file /etc/services and look for the line
syslog     514/udp
If it is missing, just add it!

Next, check with netstat -an that there's 'something' listening on udp-port 514. If there isn't, this means that your daemon isn't started right. Edit the file /etc/init.d/syslog (or whatever startup script you use for starting the syslog-daemon) and make sure it looks something like this.
extract of /etc/init.d/syslog
 case "$1" in
   start)
    echo -n "Starting system logger: "
    # we don't want the MARK ticks
    daemon syslogd -r -m 0
    RETVAL=$?
    echo
    echo -n "Starting kernel logger: "
    daemon klogd
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/syslog
    ;;
The -r option starts the daemon so that it can accept messages from other hosts. Now just restart the syslog daemon with
/etc/init.d/syslog restart
When you check the output of netstat -an there should be something on udp-port 514.

4. Configure the clients

When your syslog-server is up and running you now need to provide the clients with the information so that they can log to this server.

Open the file /etc/syslog.conf in your favorite editor and make it look something like this
extract of /etc/syslog.conf
 # Log all kernel messages to the console.
 # Logging much else clutters up the screen.
 #kern.*   /dev/console

 # Log anything (except mail) of level info or higher.
 # Don't log private authentication messages!
 *.info;mail.none;authpriv.none;cron.none   /var/log/messages

 # Log all the mail messages in one place.
 mail.*   /var/log/maillog

 # Everybody gets emergency messages, plus log them on another
 # machine.
 *.emerg   *

 # Log to external server
 *.info;mail.none;authpriv.none;cron.none   @syslogger.mydomain.com
This would log to syslogger.mydomain.com :
  • *.info
      everything of level info or higher, from every facility
  • mail.none
      log nothing for mail
  • authpriv.none
      log nothing from the private authentication facility (authpriv)
  • cron.none
      log nothing for cron
Now just reload the syslogger with
/etc/init.d/syslog reload
and check the messages on your syslog-server.
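To see exactly which messages the extract above forwards to the server, here is a small evaluator for classic syslog.conf selector lines. It is an added example, not code from the article or from sysklogd; it models the plain facility.priority selectors (accumulating matches, with "none" clearing a facility), and leaves out the "=" and "!" modifiers. The rule text is a constructed copy of the article's extract with the comments stripped.

```python
from typing import List, Tuple

# Priorities from least to most severe, as in syslog(3).
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed copy of the article's /etc/syslog.conf extract (comments removed).
SYSLOG_CONF = """
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
mail.*   /var/log/maillog
*.emerg   *
*.info;mail.none;authpriv.none;cron.none   @syslogger.mydomain.com
"""

Selector = Tuple[str, str]  # (facility, priority)


def parse_conf(text: str) -> List[Tuple[List[Selector], str]]:
    """Return a list of (selectors, action) pairs, one per non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector_field, action = line.split(None, 1)
        selectors: List[Selector] = []
        for sel in selector_field.split(";"):
            facilities, priority = sel.rsplit(".", 1)
            for fac in facilities.split(","):  # "a,b.prio" lists facilities
                selectors.append((fac, priority))
        rules.append((selectors, action.strip()))
    return rules


def matches(selectors: List[Selector], facility: str, priority: str) -> bool:
    """Selectors apply left to right: a match switches the message on, and a
    later 'facility.none' switches it off again (so *.info;mail.none drops mail)."""
    selected = False
    for fac, prio in selectors:
        if fac != "*" and fac != facility:
            continue
        if prio == "none":
            selected = False
        elif prio == "*" or PRIORITIES.index(priority) >= PRIORITIES.index(prio):
            selected = True
    return selected


def actions_for(conf: str, facility: str, priority: str) -> List[str]:
    """All actions (files, hosts, or '*' for all users) a message reaches."""
    return [action for selectors, action in parse_conf(conf)
            if matches(selectors, facility, priority)]


if __name__ == "__main__":
    print(actions_for(SYSLOG_CONF, "kern", "warning"))  # local file and remote server
    print(actions_for(SYSLOG_CONF, "mail", "info"))     # only /var/log/maillog
```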

5. Security

Make sure you firewall off the syslog port. Otherwise your server could rapidly become a 'playground' for script-kiddies, and your logs would be filled before you've noticed it.

The default syslogger has few (in fact, none) security settings. If you don't feel comfortable with this idea, try one of the other loggers mentioned above.

Copyleft 2002-2007 - cudeso.be webmaster@cudeso.be